Planning to launch my second Forum in XenForo (Hello Cloud!) - Some Security and Privacy Questions

[deslocotoco]

Quick disclaimer: If XF Team prefer to discuss this in private, please delete the thread and contact me via PM to go on.

Hello my dears members of this great community,

Since the relative success of my first Forum, i started another small enterprise that will be, for sure, based on XenForo (probably going XF Cloud if possible ).

I'm still on the early stages of planning, implementing, calculating operational costs and this kind of stuff.

Since my new site is going to be for internal use in my office (lawyer office, btw), I'm going to use XF as communication system. Because the theme, subjects, client data and files is very sensitive, I'm here to ask about the security and privacy if i use XF.

I already known that XF have very good and granular permissions tool, even setting as a private Forum, and option to need login to give full access, right?

But this is enough? This forms of 'protection' can turn my Forum as a totally private for public (or, not authorized people to enter and see the content)?

If not, i would like a quote on that, on what i have to do to well, become "full private".

I don't want to see my cases roaming around the internet because some leaking of data because the login won't handled the public view.

Note: i don't want to use any other system. Have to be in a Forum and XenForo.

That's it.

Thanks!

 

[Paul B]

The main view permission will prevent unregistered visitors from accessing any content.

 

[Mr Lucky]

But this is enough?

I assume it is enough in that xenForo permission system itself is secure enough . I would insist on two factor and strong passwords. You could even get a password protection on the directory on the server for belt and braces.

And of course noindex all the forums, but bots should not get there anyway if no access for guests

 

[deslocotoco]

The main view permission will prevent unregistered visitors from accessing any content.

So that's i was hoping to read. Thanks Brogan.

I assume it is enough in that xenForo permission system itself is secure enough . I would insist on two factor and strong passwords. You could even get a password protection on the directory on the server for belt and braces.

And of course noindex all the forums, but bots should not get there anyway if no access for guests

Basically, my check list for a totally ultra giga private only access XF Forum would be:

• Disable guests access by revoking the main view permission;
• Block any bots and crawlers (robots.txt maybe?) and noindex, of course;
• Disable registration, for manual profile creation user by user;
• A lot of attention on setting the permissions system;
• Impose mandatory lockdown (ops, COVID-19 feelings) strong password with two factor auth;

Any more follow ups and tips on that matter or that's fine?

 

[Mr Lucky]

If it’s only used in your office then you can deny access to any other IP addresses in the htaccess file.

 

[Max Taxable]

Block any bots and crawlers (robots.txt maybe?)

Robots.txt doesn't block anything. Noble crawlers typically obey it while any less than noble ones just ignore it.

 

[deslocotoco]

Robots.txt doesn't block anything. Noble crawlers typically obey it while any less than noble ones just ignore it.

Workaround suggestion?

 

[Mr Lucky]

Workaround suggestion?

Noindex every forum (under advanced options)

But if you do all the stuff above then bots aren’t getting in anyway

 

[Mr Lucky]

I imagine the biggest threat is a rogue ex employee divulging stuff, but they could do that with anything: emails, scanned paper docs etc.

 

[Max Taxable]

Noindex every forum (under advanced options)

But if you do all the stuff above then bots aren’t getting in anyway

Yeah there's nothing to crawl or index anyhow.

OP - I recommend you start a private conversation with @MySiteGuy on this. He's a highly trustworthy XF expert.